Privacy in Web Standards

Nick Doty


Nick Doty,

Microsoft, iSchool, IO Lab, PhD: how are privacy and other values considered in technical design?
W3C: "Privacy"; in practice this means corralling people and processes (Staff Contact and recruiting) more than engineering, a distinction I'll come back to later.
I'm speaking here as an iSchooler, not on behalf of W3C.

What I'll cover

Expose you to how this works so that you might be able to get involved, or understand how it works so that you could represent your organization in these discussions at some point.
Present early arguments to a friendly audience to try to get your feedback.
Hope to answer any questions you might have as I now have a sort of insider role.

The Standardization Process at W3C


Member-driven organization; Alternatives to a consensus decision-making process?

What is a standard?


Key properties:


Platform for Privacy Preferences Project


From tpl notes: what technical means does it propose? Non-self-enforcing.
What's notable about the process? What was cut?

Potential reading: Overview from Cranor and Reagle in Communications of the ACM, 1999


W3C Geolocation API

First of many Web specs that will implicate a particular type of privacy concern, which is one reason so many of us have gotten involved in it. More device APIs, etc. Geolocation is NOT part of HTML5, but HTML5 also has its own set of privacy implications, particularly around tracking (local storage, etc.).


Privacy Issues of the W3C Geolocation API

These debates were over who was making relevant privacy disclosures to the end user, but we also identified issues with minimization, aggregation and transparency, which could fall more toward the self-enforcing end of the spectrum.

Do Not Track

Tracking Protection Working Group


Tracking Protection/Selection/Filter lists in addition to Do Not Track; a Compliance document in addition to purely technical specs

Use of HTTP headers as a question of Web architecture, granular to the request level. Should there be a response header?
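An added example, not code from the talk, W3C or any browser: a toy client/server pair showing what "granular to the request level" means for a Do Not Track header, with each request judged on its own header rather than on the client's history. Request values (DNT: 0/1) and the Tk response header (N = not tracking, T = tracking) follow what the W3C Tracking Preference Expression draft later defined; the cookie name, URLs and log format are constructed.

```python
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]
TRACKING_COOKIE = "visitor_id"  # constructed name for a tracking cookie

def build_request(url: str, user_pref: Optional[bool]) -> Tuple[str, Headers]:
    """Client side: attach DNT only when the user has set a preference.
    None = no preference (no header), True = 'do not track', False = consent."""
    headers: Headers = {"Host": url.split("/")[2]}
    if user_pref is not None:
        headers["DNT"] = "1" if user_pref else "0"
    return url, headers

def dnt_preference(headers: Headers) -> Optional[bool]:
    """Server side: parse the DNT header case-insensitively. A malformed value
    is treated as no expressed preference, never as consent."""
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            return True if value == "1" else False if value == "0" else None
    return None

def serve(url: str, headers: Headers, tracks_by_default: bool = True) -> Headers:
    """Decide, for this single request only, whether to set the tracking cookie,
    and report that decision in a Tk response header (N or T)."""
    pref = dnt_preference(headers)
    tracked = tracks_by_default if pref is None else (not pref)
    response: Headers = {"Tk": "T" if tracked else "N"}
    if tracked:
        response["Set-Cookie"] = f"{TRACKING_COOKIE}=c0ffee; Path=/"
    return response

def exchange(requests: List[Tuple[str, Optional[bool]]]) -> List[str]:
    """Run a constructed sequence of requests; return one log line per request."""
    log = []
    for url, pref in requests:
        url, req = build_request(url, pref)
        resp = serve(url, req)
        log.append(f"{req.get('DNT', '-')} {url} -> Tk:{resp['Tk']}")
    return log

if __name__ == "__main__":
    # Constructed sequence: the same browser changes its preference between
    # requests; the server honours whatever header arrives with each one.
    for line in exchange([("http://ads.example/px", True),
                          ("http://ads.example/px", None),
                          ("http://ads.example/px", False)]):
        print(line)
```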

Preliminary conclusions

Beyond tracking and beyond privacy

"open, multi-stakeholder process" as a regulatory strategy